b'   COMPLIANCE WITH STANDARDS GOVERNING\n COMBINED DNA INDEX SYSTEM ACTIVITIES AT THE\nHOUSTON POLICE DEPARTMENT CRIME LABORATORY\n              HOUSTON, TEXAS\n\n\n            U.S. Department of Justice\n          Office of the Inspector General\n                   Audit Division\n\n\n        Audit Report Number GR-60-10-009\n                 September 2010\n\x0c       COMPLIANCE WITH STANDARDS GOVERNING\n     COMBINED DNA INDEX SYSTEM ACTIVITIES AT THE\n    HOUSTON POLICE DEPARTMENT CRIME LABORATORY\n                   HOUSTON, TEXAS\n\n                              EXECUTIVE SUMMARY\n\n\n      The Department of Justice Office of the Inspector General (OIG), Audit\nDivision, has completed an audit of compliance with standards governing\nCombined DNA Index System (CODIS) activities at the Houston Police\nDepartment Crime Laboratory (Laboratory).\n\nBackground\n\n      The Federal Bureau of Investigation\xe2\x80\x99s (FBI) CODIS program combines\nforensic science and computer technology to provide an investigative tool to\nfederal, state, and local crime laboratories in the United States, as well as\nthose from select international law enforcement agencies. The CODIS\nprogram allows these crime laboratories to compare and match DNA profiles\nelectronically to assist law enforcement in solving crimes and identifying\nmissing or unidentified persons. 1 The FBI\xe2\x80\x99s CODIS Unit manages CODIS, as\nwell as develops, supports, and provides the program to crime laboratories\nto foster the exchange and comparison of forensic DNA evidence.\n\n      The FBI implemented CODIS as a distributed database with\nhierarchical levels that enable federal, state, and local crime laboratories to\ncompare DNA profiles electronically. The hierarchy consists of three distinct\nlevels that flow upward from the local level to the state level and then, if\nallowable, the national level. The National DNA Index System (NDIS), the\nhighest level in the hierarchy, is managed by the FBI as the nation\xe2\x80\x99s DNA\ndatabase containing DNA profiles uploaded by law enforcement agencies\nacross the United States. NDIS enables the laboratories participating in the\nCODIS program to electronically compare DNA profiles on a national level.\nThe State DNA Index System (SDIS) is used at the state level to serve as a\nstate\xe2\x80\x99s DNA database containing DNA profiles from local laboratories and\n\n\n       1\n          DNA, or deoxyribonucleic acid, is genetic material found in almost all living cells\nthat contains encoded information necessary for building and maintaining life.\nApproximately 99.9-percent of human DNA is the same for all people. The differences\nfound in the remaining 0.1 percent allow scientists to develop a unique set of DNA\nidentification characteristics (a DNA profile) for an individual by analyzing a specimen\ncontaining DNA.\n\n\n                                               i\n\x0cstate offenders. The Local DNA Index System (LDIS) is used by local\nlaboratories.\n\nOIG Audit Objectives\n\n      We conducted our audit from April 2008 to April 2010. The objectives\nof our audit were to determine if: (1) the Houston Police Department Crime\nLaboratory was in compliance with the NDIS participation requirements;\n(2) the Laboratory was in compliance with the Quality Assurance Standards\n(QAS) issued by the FBI; and (3) the Laboratory\xe2\x80\x99s forensic DNA profiles in\nCODIS databases were complete, accurate, and allowable for inclusion in\nNDIS.\n\n       Our review determined the following:\n\n       \xe2\x80\xa2   With regard to the Laboratory\xe2\x80\x99s compliance with NDIS participation\n           requirements, we found that the Laboratory did not have a policy to\n           maintain personnel records for the 10 years required by the FBI\xe2\x80\x99s\n           NDIS operational procedures manual. 2 In response to this finding,\n           the Laboratory revised its DNA Standard Operating Procedure\n           manual to reflect the 10-year retention requirement. The\n           Laboratory\xe2\x80\x99s actions address our concern regarding this issue. The\n           Laboratory was in compliance with the other NDIS participation\n           requirements we reviewed.\n\n       \xe2\x80\xa2   We reviewed the Laboratory\xe2\x80\x99s compliance with the FBI\xe2\x80\x99s Quality\n           Assurance Standards. As part of our review, we provided the FBI\n           with the list of the Houston Police Department\xe2\x80\x99s analysts who\n           conducted the most recent internal audit and auditors from outside\n           laboratories who conducted the most recent external audit to\n           determine if they had completed the required FBI DNA auditor\n           training course prior to the audit. The FBI personnel informed us\n           that the two auditors who performed the Houston Laboratory\xe2\x80\x99s\n           internal audit in October 2008 had not taken this required course.\n           As a result, we recommend that the FBI ensure that the Laboratory\n           implements procedures to verify that an FBI-trained DNA auditor is\n           on the audit team for all audits required by the Quality Assurance\n           Standards. We found that the Laboratory was in compliance with\n           the remaining Quality Assurance Standards we reviewed.\n\n\n       2\n          The Houston Police Department refers to the files that contain analysts\xe2\x80\x99 proficiency\ntesting results as quality files. However, for the purposes of this audit, personnel records\nare defined as records for all approved CODIS users, including reports concerning\nproficiency testing and any other report required by the FBI.\n\n\n                                              ii\n\x0c     \xe2\x80\xa2   We reviewed 100 DNA profiles in the Laboratory\xe2\x80\x99s forensic CODIS\n         database and determined that all but 3 were complete, accurate,\n         and allowable for inclusion in NDIS. We found two profiles that\n         were inaccurate and one that was unallowable for upload to NDIS.\n         The Laboratory deleted the unallowable profile and corrected the\n         two inaccurate profiles in NDIS. Therefore, we make no\n         recommendations regarding this issue. The remaining 97 profiles\n         reviewed were complete, accurate, and allowable for inclusion in\n         NDIS.\n\n      To address the Laboratory\xe2\x80\x99s compliance with standards governing\nCODIS activities, we recommended that the FBI ensure that the Laboratory\nimplements procedures to verify that an FBI-trained DNA auditor is on the\naudit team for all QAS\xe2\x80\x93required audits.\n\n       Our audit objectives, scope, and methodology are detailed in Appendix\nI of the report, and the audit criteria are detailed in Appendix II.\n\n\n\n\n                                     iii\n\x0c                               TABLE OF CONTENTS\n\n\nINTRODUCTION ................................................................................ 1\n   Legal Foundation for CODIS ............................................................... 1\n   CODIS Structure .............................................................................. 2\n   Laboratory Information ..................................................................... 6\n\nFINDINGS AND RECOMMENDATIONS................................................ 7\n   I.    Compliance with NDIS Participation Requirements .......................... 7\n   II.   Compliance with the Quality Assurance Standards ........................ 10\n   III. Suitability of Forensic DNA Profiles in CODIS Databases................ 13\n\nAPPENDIX I: OBJECTIVES, SCOPE, AND METHODOLOGY ............... 15\n\nAPPENDIX II: AUDIT CRITERIA ..................................................... 18\n   NDIS Participation Requirements ...................................................... 18\n   Quality Assurance Standards ........................................................... 18\n   Office of the Inspector General Standards ......................................... 20\n\nAPPENDIX III: FEDERAL BUREAU OF INVESTIGATION RESPONSE\n              TO THE DRAFT REPORT ...........................................22\n\nAPPENDIX IV: HOUSTON POLICE DEPARTMENT RESPONSE\n             TO THE DRAFT REPORT ............................................23\n\nAPPENDIX V: OFFICE OF THE INSPECTOR GENERAL, AUDIT\n            DIVISION, ANALYSIS AND SUMMARY OF ACTIONS\n            NECESSARY TO CLOSE THE REPORT ..........................25\n\x0c       COMPLIANCE WITH STANDARDS GOVERNING\n     COMBINED DNA INDEX SYSTEM ACTIVITIES AT THE\n    HOUSTON POLICE DEPARTMENT CRIME LABORATORY\n                   HOUSTON, TEXAS\n\n                                 INTRODUCTION\n\n\n      The Department of Justice Office of the Inspector General Audit\nDivision, has completed an audit of compliance with standards governing\nCombined DNA Index System (CODIS) activities at the Houston Police\nDepartment Crime Laboratory (Laboratory).\n\n       The Federal Bureau of Investigation\xe2\x80\x99s (FBI) CODIS program provides\nan investigative tool to federal, state, and local crime laboratories in the\nUnited States using forensic science and computer technology. The CODIS\nprogram allows laboratories to compare and match DNA profiles\nelectronically, thereby assisting law enforcement in solving crimes and\nidentifying missing or unidentified persons. 3 The FBI\xe2\x80\x99s CODIS Unit manages\nCODIS and is responsible for its use in fostering the exchange and\ncomparison of forensic DNA evidence.\n\n       The objectives of our audit were to determine if the: (1) Laboratory\nwas in compliance with the National DNA Index System (NDIS) participation\nrequirements; (2) Laboratory was in compliance with the Quality Assurance\nStandards (QAS) issued by the FBI; and (3) Laboratory\xe2\x80\x99s forensic DNA\nprofiles in CODIS databases were complete, accurate, and allowable for\ninclusion in NDIS. Appendix I contains a detailed description of our audit\nobjectives, scope, and methodology, while the criteria used to conduct our\naudit are presented in Appendix II.\n\nLegal Foundation for CODIS\n\n      The FBI began the CODIS program as a pilot project in 1990. The\nDNA Identification Act of 1994 (Act) authorized the FBI to establish a\nnational index of DNA profiles for law enforcement purposes. The Act, along\n\n\n\n       3\n         DNA, or deoxyribonucleic acid, is genetic material found in almost all living cells\nthat contains encoded information necessary for building and maintaining life.\nApproximately 99.9 percent of human DNA is the same for all people. The differences found\nin the remaining 0.1 percent allow scientists to develop a unique set of DNA identification\ncharacteristics (a DNA profile) for an individual by analyzing a specimen containing DNA.\n\x0cwith subsequent amendments, has been codified in a federal statute\n(Statute) providing the legal authority to establish and maintain NDIS. 4\n\nAllowable DNA Profiles\n\n      The Statute authorizes NDIS to contain the DNA identification records\nof persons convicted of crimes, persons who have been charged in an\nindictment or information with a crime, and other persons whose DNA\nsamples are collected under applicable legal authorities. Samples voluntarily\nsubmitted solely for elimination purposes are not authorized for inclusion in\nNDIS. The Statute also authorizes NDIS to include analysis of DNA samples\nrecovered from crime scenes or from unidentified human remains, as well as\nthose voluntarily contributed from relatives of missing persons.\n\nAllowable Disclosure of DNA Profiles\n\n       The Statute requires that NDIS include only DNA information that is\nbased on analyses performed by or on behalf of a criminal justice agency \xe2\x80\x94\nor the U.S. Department of Defense \xe2\x80\x94 in accordance with QAS issued by the\nFBI. The DNA information in the index is authorized to be disclosed only:\n(1) to criminal justice agencies for law enforcement identification purposes;\n(2) in judicial proceedings, if otherwise admissible pursuant to applicable\nstatutes or rules; (3) for criminal defense purposes, to a defendant who shall\nhave access to samples and analyses performed in connection with the case\nin which the defendant is charged; or (4) if personally identifiable\ninformation (PII) is removed for a population statistics database, for\nidentification research and protocol development purposes, or for quality\ncontrol purposes.\n\nCODIS Structure\n\n       The FBI implemented CODIS as a distributed database with\nhierarchical levels that enables federal, state, and local crime laboratories to\ncompare DNA profiles electronically. CODIS consists of a hierarchy of three\ndistinct levels: (1) NDIS is managed by the FBI as the nation\xe2\x80\x99s DNA\ndatabase containing DNA profiles uploaded by participating states, (2) the\nState DNA Index System (SDIS) is used at the state level to serve as a\nstate\xe2\x80\x99s DNA database containing DNA profiles from local laboratories within\nthe state and state offenders, and (3) the Local DNA Index System (LDIS) is\nused by local laboratories. DNA profiles originate at the local level and then\nflow upward to the state and, if allowable, national level. For example, the\nlocal laboratory in the Palm Beach County, Florida, Sheriff\xe2\x80\x99s Office sends its\n\n      4\n          42 U.S.C.A. \xc2\xa7 14132 (2006).\n\n\n                                        -2-\n\x0cprofiles to the state laboratory in Tallahassee, which then uploads the\nprofiles to NDIS. Each state participating in CODIS has one designated SDIS\nlaboratory. The SDIS laboratory maintains its own database and is\nresponsible for overseeing NDIS issues for all CODIS-participating\nlaboratories within the state. The graphic below presents an example of how\nthe system hierarchy works.\n\n                 Example of System Hierarchy within CODIS\n\n                                              NDIS\n                                   Maintained by the FBI\n\n\n\n\nSDIS                            SDIS                             SDIS\nLaboratory                      Laboratory                       Laboratory\nRichmond, CA                    Springfield, IL                  Tallahassee, FL\n\n\n\n                                  LDIS Laboratories (partial list):\n                                  DuPage County Sheriff\xe2\x80\x99s Office\n                                  Illinois State Police, Chicago\n                                  Illinois State Police, Rockford\n\n LDIS Laboratories (partial list):                       LDIS Laboratories (partial list):\n Orange County Sheriff\xe2\x80\x99s Department                      Broward County Sheriff\xe2\x80\x99s Office\n San Bernardino County Sheriff\xe2\x80\x99s Department              Miami-Dade Police Department\n San Diego Police Department                             Palm Beach County Sheriff\xe2\x80\x99s Office\n\n\n\nNational DNA Index System\n\n      NDIS is the highest level in the CODIS hierarchy and enables the\nlaboratories participating in the CODIS program to electronically compare\nDNA profiles on a national level. NDIS does not contain names or other PII\nabout the profiles. Therefore, matches are resolved through a system of\nlaboratory-to-laboratory contacts. Within NDIS are seven searchable indices\ndiscussed below.\n\n      \xe2\x80\xa2   Convicted Offender Index contains profiles generated from persons\n          convicted of qualifying offenses. 5\n\n\n\n      5\n        The phrase \xe2\x80\x9cqualifying offenses\xe2\x80\x9d is used here to refer to local, state, or federal\n crimes that require a person to provide a DNA sample in accordance with applicable laws.\n\n\n                                              -3-\n\x0c      \xe2\x80\xa2   Arrestee Index is comprised of profiles developed from persons who\n          have been arrested, indicted, or charged in an information with a\n          crime.\n\n      \xe2\x80\xa2   Legal Index consists of profiles that are produced from DNA\n          samples collected from persons under other applicable legal\n          authorities. 6\n\n      \xe2\x80\xa2   Forensic Index profiles originate from, and are associated with,\n          evidence found at crime scenes.\n\n      \xe2\x80\xa2   Missing Person Index contains known DNA profiles of missing\n          persons and deduced missing persons.\n\n      \xe2\x80\xa2   Unidentified Human (Remains) Index holds profiles from\n          unidentified living individuals and the remains of unidentified\n          deceased individuals. 7\n\n      \xe2\x80\xa2   Relatives of Missing Person Index is comprised of DNA profiles\n          generated from the biological relatives of individuals reported\n          missing.\n\n      Although CODIS is comprised of multiple indices or databases, the two\nmain functions of the system are to: (1) generate investigative leads that\nmay help in solving crimes; and (2) identify missing and unidentified\npersons.\n\n       The Forensic Index generates investigative leads in CODIS that may\nhelp solve crimes. Investigative leads may be generated through matches\nbetween the Forensic Index and other indices in the system, including the\nConvicted Offender, Arrestee, and Legal Indices. These matches may\nprovide investigators with the identity of suspected perpetrators. CODIS\nalso links crime scenes through matches between Forensic Index profiles,\npotentially identifying serial offenders.\n\n      In addition to generating investigative leads, CODIS furthers the\nobjectives of the FBI\xe2\x80\x99s National Missing Person DNA Database program\nthrough its ability to identify missing and unidentified individuals. Those\npersons may be identified through matches between indices in CODIS, such\n\n      6\n        An example of a Legal Index profile is one from a person found not guilty by\n reason of insanity who is required by the relevant state law to provide a DNA sample.\n\n      7\n         An example of an Unidentified Human (Remains) Index profile from a living person\n is a profile from a child or other individual who cannot or refuses to identify themselves.\n\n\n                                          -4-\n\x0cas through matches between the profiles in the Missing Persons Index and\nthe Unidentified Human (Remains) Index. Identifications may also be\ngenerated through matches between the Unidentified Persons Index and the\nRelatives of Missing Persons Index. The profiles within the Missing Persons\nand Unidentified Human (Remains) Indices may also be vetted against the\nForensic, Convicted Offender, Arrestee, and Legal Indices to provide\ninvestigators with leads in solving missing and unidentified persons cases.\n\nState and Local DNA Index System\n\n       The FBI provides CODIS software free of charge to any state or local\nlaw enforcement laboratory performing DNA analysis. Laboratories are able\nto use the CODIS software to upload profiles to NDIS. However, before a\nlaboratory is allowed to participate at the national level and upload DNA\nprofiles to NDIS, a Memorandum of Understanding (MOU) must be signed\nbetween the FBI and the applicable state\xe2\x80\x99s SDIS laboratory. The MOU\ndefines the responsibilities of each party, includes a sublicense for the use of\nCODIS software, and delineates the standards laboratories must meet in\norder to utilize NDIS. Although officials from LDIS laboratories do not sign\nan MOU, LDIS laboratories that upload DNA profiles to an SDIS laboratory\nare required to adhere to the MOU signed by the SDIS laboratory.\n\n       States are authorized to upload DNA profiles to NDIS based on local,\nstate, and federal laws, as well as NDIS regulations. However, states or\nlocalities may maintain NDIS-restricted profiles in SDIS or LDIS. For\ninstance, a local law may allow for the collection and maintenance of a\nvictim profile at LDIS but NDIS regulations do not authorize the upload of\nthat profile to the national level.\n\n       The utility of CODIS relies upon the completeness, accuracy, and\nquantity of profiles that laboratories upload to the system. Incomplete\nCODIS profiles are those for which the required number of core loci were not\ntested or do not contain all of the DNA information that resulted from a DNA\nanalysis and may not be searched at NDIS. The probability of a false match\namong DNA profiles is reduced as the completeness of a profile increases.\nInaccurate profiles, which contain incorrect DNA information or an incorrect\nspecimen number, may generate false positive leads, false negative\ncomparisons, or lead to the misidentification of a sample. CODIS becomes\nmore useful as the quantity of DNA profiles in the system increases because\nthe potential for additional leads rises. However, laws and regulations\nexclude certain types of profiles from being uploaded to CODIS to prevent\nviolations to an individual\xe2\x80\x99s privacy and foster the public\xe2\x80\x99s confidence in\nCODIS. Therefore, it is the responsibility of the Laboratory to ensure that it\n\n\n\n                                     -5-\n\x0cis adhering to the NDIS participation requirements and the profiles uploaded\nto CODIS are complete, accurate, and allowable for inclusion in NDIS.\n\nLaboratory Information\n\n        The Houston Police Department Crime Laboratory is a Local DNA Index\nSystem laboratory. The Laboratory serves the Houston Police Department,\nwhich covers a population of approximately 2 million. The Laboratory\xe2\x80\x99s\ninitial access to CODIS began in 1998.\n\n       According to the Director of the Houston Police Department Crime\nLaboratory, the Houston Police Department\xe2\x80\x99s Chief of Police requested\ndeactivation from CODIS in March 2003 due to concerns about the quality of\nthe analyses being performed. The Laboratory had serious problems ranging\nfrom poor documentation to serious analytical and interpretive errors that\nresulted in highly questionable results being reported by the Laboratory.\nSubsequently, an independent investigation conducted by Michael Bromwich,\na former DOJ Inspector General, found that some of the weaknesses in the\nLaboratory included the absence of a quality assurance program,\ninadequately trained analysts, poor analytical technique, incorrect\ninterpretation of data, characterizing of results as inconclusive when that\nwas not the result, and the lack of meaningful and competent technical\nreviews. 8 According to the Laboratory Director, this situation was remedied\nby: (1) a comprehensive review and re-testing of previously tested DNA\ncases; (2) replacement of staff conducting DNA testing, including the DNA\nTechnical Leader and Laboratory Director; and (3) the implementation of an\nextensive quality assurance program that included training of remaining\nstaff.\n\n      The Laboratory began analyzing forensic DNA samples again after\nreceiving accreditation from the American Society of Crime Laboratory\nDirectors/Laboratory Accreditation Board (ASCLD/LAB) in June 2006. The\nLaboratory is due for reaccreditation in June 2012. The Laboratory began\nuploading profiles into SDIS in February 2007. The Laboratory does not\nprocess convicted offender samples and outsourced analysis of some\nforensic DNA samples with the LabCorp, Orchid Cellmark, Sorenson, and\nStrand Forensic laboratories.\n\n\n\n\n      8\n        Final Report of the Independent Investigator for the Houston Police Department\nCrime Laboratory and Property Room, June 13, 2007, led by Michael Bromwich,\nIndependent Investigator.\n\n\n                                          -6-\n\x0c               FINDINGS AND RECOMMENDATIONS\n\n\n      I. Compliance with NDIS Participation Requirements\n\n      The OIG review examined the Houston Police Department Crime\n      Laboratory\xe2\x80\x99s compliance with NDIS participation requirements.\n      Our review found that the Laboratory did not have a policy for\n      the retention of its personnel records, including the DNA\n      analysts\xe2\x80\x99 proficiency tests, for the required 10 years. We also\n      found that the Laboratory was in compliance with the 30-day\n      timeframe for submission of the external audit to the NDIS\n      Custodian, all Laboratory personnel had completed their annual\n      training, and NDIS matches were confirmed in a timely manner.\n\n      The NDIS participation requirements, which consist of the MOU and\nNDIS Procedure Manual, establish the responsibilities and obligations of\nlaboratories that participate in the CODIS program at the national level. The\nMOU describes the CODIS-related responsibilities of both the Laboratory and\nthe FBI. The NDIS Procedure Manual is comprised of the NDIS operational\nprocedures and provides detailed instructions for laboratories to follow when\nperforming certain procedures pertinent to NDIS. The NDIS participation\nrequirements we reviewed are described in more detail in Appendix II of this\nreport.\n\nResults of the OIG Review\n\n       We noted one exception to the Laboratory\xe2\x80\x99s compliance with the NDIS\nparticipation requirements. Specifically, we found that the Laboratory did\nnot have a policy in place to maintain all necessary personnel records for the\nrequired 10 years. The results of our audit are described in more detail\nbelow.\n\nPersonnel Records\n\n       The General Responsibilities Procedure states that the NDIS\nParticipating Laboratory has to maintain records of CODIS users, including\nreports concerning proficiency testing and other records or audits required\nby the FBI for 10 years. It is the Houston Laboratory\xe2\x80\x99s policy to maintain\nthese records only until it receives reaccreditation, which is usually a 5-year\ntimeframe. However, the Houston Laboratory\xe2\x80\x99s Quality Manager stated that\nthe Laboratory had not destroyed any personnel records since 2007 when\nthe Laboratory began participating in NDIS again. When we brought the\npotential discrepancy to her attention, she immediately amended the\n\n\n                                     -7-\n\x0cLaboratory\xe2\x80\x99s DNA Standard Operating Procedure manual to reflect the\nrequired 10-year timeframe as outlined in the NDIS manual.\n\n      We found that the Laboratory complied with other NDIS participation\nrequirements we reviewed, as described below.\n\n  \xe2\x80\xa2   NDIS operational procedures require that CODIS be physically and\n      electronically safeguarded from unauthorized use and only accessible\n      to limited approved personnel. The Laboratory\xe2\x80\x99s CODIS work station\n      and server is housed in the DNA Laboratory and only personnel\n      assigned to the DNA Laboratory have access to this space. All users\n      have their own CODIS user account, and their screens lock after 10\n      minutes of inactivity. The CODIS Administrator makes weekly backups\n      and transfers them electronically to a secure off-site facility.\n\n  \xe2\x80\xa2   NDIS operational procedures require that CODIS users are provided\n      copies of NDIS procedures and understand and abide by them. We\n      interviewed three of the Laboratory\xe2\x80\x99s CODIS users and verified they\n      knew where to find and access the procedures in the Laboratory.\n\n  \xe2\x80\xa2   On an annual basis, CODIS users are required to successfully complete\n      DNA Records Acceptance training annually. We verified with the FBI\n      that all current CODIS users had completed the web-based training\n      within the last year.\n\n  \xe2\x80\xa2   The FBI requires the Laboratory submit documentation regarding\n      CODIS users. We verified that the Laboratory submitted all required\n      information for each CODIS user to the FBI.\n\n  \xe2\x80\xa2   NDIS procedures describe a required match confirmation process when\n      matches are identified in CODIS. We judgmentally selected a sample\n      of 5 out of 46 NDIS matches and found the Laboratory to be timely in\n      match confirmation requests, match confirmations, confirmation\n      dispositions, and the notification to investigators of forensic matches.\n\n  \xe2\x80\xa2   The NDIS operational procedure manual requires that external quality\n      assurance audit reports be forwarded to the NDIS custodian within\n      30 days of the Laboratory\xe2\x80\x99s receipt of the report. We reviewed the\n      submission of the most recent external audit and found that the report\n      was submitted to the NDIS custodian in a timely manner.\n\n\n\n\n                                    -8-\n\x0cConclusion\n\n       The Laboratory\xe2\x80\x99s policy manual did not require the maintenance of all\nnecessary personnel records for the required 10 years. When we brought\nthis issue to the attention of the Laboratory\xe2\x80\x99s management, it made\ncorrections to address this issue. Therefore, we make no recommendations\nconcerning our review of NDIS participation requirements.\n\n\n\n\n                                    -9-\n\x0c      II. Compliance with the Quality Assurance Standards\n\n\n      As a result of our review of the Laboratory\xe2\x80\x99s compliance with the\n      Quality Assurance Standards (QAS), we found that the\n      Laboratory did not have an auditor on its internal audit team\n      who had completed the required FBI DNA auditor training course\n      prior to engaging in the audit. We did not identify any additional\n      concerns with regard to the Laboratory\xe2\x80\x99s compliance with the\n      QAS for the remainder portions of our review.\n\n     During our audit, we considered the Forensic QAS issued by the FBI. 9\nThese standards describe the quality assurance requirements that the\nLaboratory must follow to ensure the quality and integrity of the data it\nproduces. The QAS we reviewed are described in more detail in Appendix II.\n\nResults of the OIG Review\n\n      We noted one exception to the Laboratory\xe2\x80\x99s compliance with the\nForensic QAS. Specifically, we found that an internal auditor lacked FBI DNA\nauditor training. The results of our audit are described in more detail below.\n\nInternal Auditor\xe2\x80\x99s Lack of FBI DNA Auditor Training\n\n      According to the FBI\xe2\x80\x99s QAS Audit Guide for DNA Testing Laboratories,\nregardless of the type of audit (internal or external) it is the laboratory\xe2\x80\x99s\nresponsibility to ensure that there is at least one person on the audit team\nwho is a qualified DNA auditor. The auditor on the audit team must have\ncompleted the FBI\xe2\x80\x99s required DNA training course. In order to determine if\nthe Laboratory was in compliance with the requirement, we sent the names\nof the Houston Police Department\xe2\x80\x99s analysts who conducted the most recent\ninternal audit to determine if they had completed the training prior to the\naudit, which began in October 2008. FBI personnel informed us that the two\nauditors who completed the Laboratory\xe2\x80\x99s internal audit in October 2008 had\nnot completed the FBI DNA auditor training as of that date. As a result, we\nrecommend that the FBI ensure that the Laboratory implements procedures\nto verify that an FBI-trained DNA auditor is on the audit team for all QAS-\nrequired audits.\n\n\n\n\n      9\n         Forensic Quality Assurance Standards refers to the Quality Assurance Standards\nfor Forensic DNA Testing Laboratories, effective July 1, 2009.\n\n\n                                         - 10 -\n\x0c      We took no exception with the remaining areas of our review of the\nLaboratory\xe2\x80\x99s compliance with the QAS. The results for these remaining\nareas are described below.\n\n  \xe2\x80\xa2   The QAS requires that state laboratories undergo an annual audit,\n      including an external audit every 2 years. We determined that the\n      Laboratory complied with the requirement by undergoing an annual\n      audit and alternating between an internal or an external audit each\n      year.\n\n  \xe2\x80\xa2   We obtained the most recent external and internal audit reports for\n      the Laboratory. We determined that for both audits the FBI audit\n      document was used and adequate corrective actions for audit findings\n      were developed by the Laboratory. The internal audit report had one\n      instance of noncompliance, and it was adequately corrected. The\n      external audit report did not contain any findings.\n\n  \xe2\x80\xa2   We verified that the entrances to the Laboratory were properly secured\n      and controlled with an alarm system, employee scan cards, and a\n      receptionist for the public entrance to prevent access by unauthorized\n      personnel. Areas within the Laboratory were also adequately\n      controlled with scan cards. Overall security at the Laboratory\n      appeared to be adequate and in compliance with the QAS.\n\n  \xe2\x80\xa2   The integrity of physical evidence samples is maintained by the\n      Laboratory in accordance with the QAS. The chain of custody for\n      evidence originates in the Property Room where all forensic samples\n      are logged into the system. The Laboratory does not have the\n      capability to electronically track forensic evidence so the Laboratory\n      maintains a paper chain of custody for all forensic evidence within the\n      pertinent case files. Evidence samples are properly stored from the\n      point of receipt through processing. To ensure the accuracy of data\n      loaded into the database, the Laboratory technically reviews all case\n      files and completes checklists prior to uploading samples to CODIS.\n\n  \xe2\x80\xa2   We interviewed the CODIS Administrator and reviewed policies and\n      practices to determine that the Laboratory policies and practices\n      regarding the separation of known and unknown samples during the\n      analysis process appear to be adequate.\n\n  \xe2\x80\xa2   We interviewed the CODIS Administrator and toured the Laboratory to\n      determine that the Laboratory appeared to be in compliance with\n      forensic standards governing the retention of samples and extracted\n      DNA after analysis.\n\n\n                                    - 11 -\n\x0c  \xe2\x80\xa2   The Laboratory contracted out the analysis of forensic samples in the\n      past 2 years. We verified that the subcontractors underwent QAS\n      audits, the Laboratory reviewed the integrity of all samples received\n      from vendors, and each contractor met the specific testing and\n      reporting requirements detailed in their contracts. Therefore, we\n      found that the Laboratory is in compliance with the QAS with respect\n      to subcontractor monitoring.\n\n  \xe2\x80\xa2   We determined that the Laboratory has adequate procedures to verify\n      the integrity of contractor data. Specifically, the Laboratory performs\n      in-house reviews of the data from the vendor laboratories for each\n      sample analyzed. Based on our audit, we determined that the\n      Laboratory\xe2\x80\x99s actions help ensure the integrity of outsourced DNA\n      analysis as required by the QAS.\n\n  \xe2\x80\xa2   We reviewed documentation that the Laboratory has conducted on-site\n      reviews of all four vendor laboratories used and were found to be\n      sufficient to perform quality DNA analysis.\n\nConclusion\n\n      Based on the review of Laboratory and sample security, the Houston\nPolice Department Laboratory was in compliance with the FBI\xe2\x80\x99s QAS we\ntested with one exception. We make one recommendation concerning our\nreview of the Quality Assurance Standards.\n\nRecommendation\n\n      We recommend that the FBI:\n\n  1. Ensure that the Laboratory implements procedures to verify that an\n     FBI-trained DNA auditor is on the audit team for all QAS\xe2\x80\x93required\n     audits.\n\n\n\n\n                                    - 12 -\n\x0c       III. Suitability of Forensic DNA Profiles in CODIS Databases\n\n\n       We reviewed 100 DNA profiles in the Laboratory\xe2\x80\x99s forensic\n       CODIS database and determined that all but 3 were complete,\n       accurate, and allowable for inclusion in NDIS. We found two\n       profiles that were inaccurate and one that was unallowable for\n       upload to NDIS.\n\n       We reviewed a sample of the Laboratory\xe2\x80\x99s forensic DNA profiles to\ndetermine whether each profile was complete, accurate, and allowable for\ninclusion in NDIS. 10 To test the completeness and accuracy of each profile,\nwe established standards that require a profile include all the loci for which\nthe analyst obtained results and that the values at each locus match those\nidentified during analysis. 11 Our standards are described in more detail in\nAppendix II of this report.\n\n       The NDIS operational procedures establish the DNA data acceptance\nstandards by which laboratories must abide. These procedures prohibit a\nlaboratory from uploading forensic profiles to NDIS that clearly match the\nDNA profile of the victim or another known person, unless the known person\nis a suspected perpetrator. The NDIS procedures we reviewed are described\nin more detail in Appendix II of this report.\n\nResults of the OIG Review\n\n       We selected a random sample of 100 profiles out of the 740 forensic\nprofiles the Laboratory uploaded to NDIS as of March 25, 2010. Of the 100\nforensic profiles sampled, we found 2 profiles that were inaccurate and 1\nprofile that was unallowable for upload to NDIS. The remaining 97 profiles\nsampled were complete, accurate, and allowable for inclusion in NDIS. The\nspecific exceptions are explained in more detail below.\n\nOIG Sample Number CA-05\n\n      Sample number CA-05 was taken from a cutting of a cigarette butt.\nThe evidence was from a sexual assault case in which the crime had taken\nplace at the victim\xe2\x80\x99s home. The sample was taken from outside of a garage\ndoor of the victim\xe2\x80\x99s home. Additionally, the victim stated the perpetrator did\n\n       10\n           When a laboratory\xe2\x80\x99s universe of DNA profiles in NDIS exceeds 1,500, our sample\nis taken from SDIS rather than directly from NDIS. See Appendix I for further description of\nthe sample selection.\n\n       11\n            A \xe2\x80\x9clocus\xe2\x80\x9d is a specific location on a chromosome. The plural form of locus is loci.\n\n\n                                             - 13 -\n\x0cnot smell like cigarette smoke. There was no indication that the evidence\ncould be attributable to the crime scene. We could not clearly conclude that\nthis was allowable for upload to NDIS; therefore, the CODIS Administrator\nremoved the profile from NDIS while we were still conducting fieldwork.\n\nOIG Sample Numbers CA-19 and CA-35\n\n       Sample numbers CA-19 and CA-35 were uploaded to NDIS with an\ninaccurate value at locus D5 and TPOX, respectively. While we were\nconducting fieldwork in the Laboratory, the CODIS Administrator found\nerrors in the forensic profiles when she was doing a review of the files. She\ntold us that these were typographical errors that were overlooked during the\nfirst review. The CODIS Administrator removed the inaccurate forensic\nprofiles from NDIS and uploaded the corrected profiles while we were still\non-site. We were told that the Laboratory has since revised its procedures\nto require three different levels of review to prevent errors from being\noverlooked in the future.\n\nConclusion\n\n       We found two profiles that had an incorrect value at a locus and one\nprofile that was unallowable for upload to NDIS. However, the CODIS\nAdministrator removed the inaccurate forensic profiles from NDIS and\nuploaded the accurate profiles while we were still on-site. She also deleted\nthe unallowable profile from NDIS before we left the Laboratory. We make\nno recommendations concerning our review of forensic DNA profiles.\n\n\n\n\n                                    - 14 -\n\x0c                                                                           APPENDIX I\n\n\n             OBJECTIVES, SCOPE, AND METHODOLOGY\n\n\n      We conducted this performance audit in accordance with generally\naccepted government auditing standards. Those standards require that we\nplan and perform the audit to obtain sufficient, appropriate evidence to\nprovide a reasonable basis for our findings and conclusions based on our\naudit objectives. We believe the evidence obtained provides a reasonable\nbasis for our findings and conclusions based on our audit objectives.\n\n       Our audit generally covered the period from April 2008 through\nApril 2010. The objectives of the audit were to determine if the:\n(1) Laboratory was in compliance with the NDIS participation requirements;\n(2) Laboratory was in compliance with the Quality Assurance Standards\n(QAS) issued by the FBI; and (3) Laboratory\xe2\x80\x99s forensic DNA profiles in\nCODIS databases were complete, accurate, and allowable for inclusion in\nNDIS. To accomplish the objectives of the audit, we:\n\n   \xe2\x80\xa2   Examined internal and external Laboratory review reports and\n       supporting documentation for corrective action taken, if any, to\n       determine: (a) if the Laboratory complied with the QAS, (b) whether\n       repeat findings were identified, and (c) whether recommendations were\n       adequately resolved.12\n\n       In accordance with the QAS, the internal and external laboratory review\n       procedures are to address, at a minimum, a laboratory\xe2\x80\x99s quality\n       assurance program; organization and management; personnel\n       qualifications; facilities; evidence control; validation of methods and\n       procedures; analytical procedures; calibration and maintenance of\n       instruments and equipment; proficiency testing of analysts; corrective\n       action for discrepancies and errors; and review of case files, reports,\n       safety, and previous audits. The FBI\xe2\x80\x99s NDIS operational procedures\n       state that, after January 1, 2002, an external laboratory review is\n       required to be performed by personnel who have successfully completed\n       the FBI\xe2\x80\x99s training course for conducting such reviews.\n\n\n       12\n            The QAS require that laboratories undergo annual audits. The QAS requires that\nevery other year the audit must be performed by an external agency that performs DNA\nidentification analysis and is independent of the laboratory being reviewed. These audits\nare not required by the QAS to be performed in accordance with the Government Auditing\nStandards (GAS) and are not performed by the Department of Justice Office of the\nInspector General. Therefore, we refer to the QAS audits as reviews (either an internal\nlaboratory review or an external laboratory review, as applicable) to avoid confusion with\nour audits that are conducted in accordance with GAS.\n\n\n                                          - 15 -\n\x0c                                                                             APPENDIX I\n\n\n       As permitted by GAS 7.42 (2007 revision), we generally relied on the\n       results of the Laboratory\xe2\x80\x99s external laboratory reviews to determine if\n       the Laboratory complied with the QAS. 13 In order to rely on the work\n       of non-auditors, GAS requires that we perform procedures to obtain\n       sufficient evidence that the work can be relied upon. Therefore, we:\n       (1) obtained evidence concerning the qualifications and independence\n       of the individuals who conducted the review, and (2) determined that\n       the scope, quality, and timing of the audit work performed was\n       adequate for reliance in the context of the current audit objectives by\n       reviewing the evaluation procedure guide and resultant findings to\n       understand the methods and significant assumptions used by the\n       individuals conducting the reviews. Based on this work, we\n       determined that we could rely on the results of the Laboratory\xe2\x80\x99s\n       external laboratory review.\n\n   \xe2\x80\xa2   Interviewed Laboratory officials to identify management controls,\n       Laboratory operational policies and procedures, Laboratory certifications\n       or accreditations, and analytical information related to DNA profiles.\n\n   \xe2\x80\xa2   Toured the Laboratory to observe facility security measures as well as\n       the procedures and controls related to the receipt, processing,\n       analyzing, and storage of forensic evidence and convicted offender DNA\n       samples.\n\n   \xe2\x80\xa2   Reviewed the Laboratory\xe2\x80\x99s written policies and procedures related to\n       conducting internal reviews, resolving review findings, and resolving\n       matches among DNA profiles in NDIS.\n\n   \xe2\x80\xa2   Reviewed supporting documentation for 5 of 46 NDIS matches to\n       determine whether they were resolved in a timely manner. The\n       Laboratory provided the universe of NDIS matches as of April 12, 2010.\n       The sample was judgmentally selected to include both case-to-case and\n       case-to-offender matches. This non-statistical sample does not allow\n       projection of the test results to all matches.\n\n   \xe2\x80\xa2   Reviewed supporting documentation to determine whether the\n       Laboratory provided adequate vendor oversight.\n\n\n\n       13\n           We also considered the results of the Laboratory\xe2\x80\x99s internal laboratory review, but\ncould not rely on it because it was not performed by personnel independent of the\nLaboratory. Further, as noted in Appendix II, we performed audit testing to verify\nLaboratory compliance with specific Quality Assurance Standards that have a substantial\neffect on the integrity of the DNA profiles uploaded to NDIS.\n\n\n                                           - 16 -\n\x0c                                                                  APPENDIX I\n\n\n  \xe2\x80\xa2   Reviewed the case files for selected forensic DNA profiles to determine if\n      the profiles were developed in accordance with the Forensic QAS and\n      were complete, accurate, and allowable for inclusion in NDIS.\n\n  \xe2\x80\xa2   The NDIS Custodian, via the contractor used by the FBI to maintain\n      NDIS and the CODIS software, provided a printout identifying the 740\n      STR forensic profiles the Laboratory had uploaded to NDIS as of\n      March 25, 2010. We limited our review to a sample of 100 profiles.\n      This sample size was determined judgmentally because preliminary\n      audit work determined that risk was not unacceptably high.\n\n  \xe2\x80\xa2   Using the judgmentally determined sample size, we randomly selected a\n      representative sample of labels associated with specific profiles in our\n      universe to reduce the effect of any patterns in the list of profiles\n      provided to us. However, since the sample size was judgmentally\n      determined, the results obtained from testing this limited sample of\n      profiles may not be projected to the universe of profiles from which the\n      sample was selected.\n\n      The objectives of our audit concerned the Laboratory\'s compliance with\nrequired standards and the related internal controls. Accordingly, we did not\nattach a separate statement on compliance with laws and regulations or a\nstatement on internal controls to this report. See Appendix II for detailed\ninformation on our audit criteria.\n\n\n\n\n                                     - 17 -\n\x0c                                                                APPENDIX II\n\n                             AUDIT CRITERIA\n\n\n      In conducting our audit, we considered the NDIS participation\nrequirements and the Quality Assurance Standards (QAS). However, we did\nnot test for compliance with elements that were not applicable to the\nLaboratory. In addition, we established standards to test the completeness\nand accuracy of DNA profiles as well as the timely notification of DNA profile\nmatches to law enforcement.\n\nNDIS Participation Requirements\n\n       The NDIS participation requirements, which consist of the\nMemorandum of Understanding (MOU) and the NDIS operational procedures,\nestablish the responsibilities and obligations of laboratories that participate\nin NDIS. The MOU requires that NDIS participants comply with federal\nlegislation and the QAS, as well as NDIS-specific requirements\naccompanying the MOU in the form of appendices. We focused our audit on\nspecific sections of the following NDIS operational procedures.\n\n   \xe2\x80\xa2   DNA Data Acceptance Standards\n   \xe2\x80\xa2   DNA Data Accepted at NDIS\n   \xe2\x80\xa2   Quality Assurance Standards (QAS) Audits\n   \xe2\x80\xa2   NDIS DNA Autosearches\n   \xe2\x80\xa2   Confirm an Interstate Candidate Match\n   \xe2\x80\xa2   General Responsibilities\n   \xe2\x80\xa2   Initiate and Maintain a Laboratory\xe2\x80\x99s Participation in NDIS\n   \xe2\x80\xa2   Security Requirements\n   \xe2\x80\xa2   CODIS Users\n   \xe2\x80\xa2   CODIS Administrator Responsibilities\n   \xe2\x80\xa2   Access to, and Disclosure of, DNA Records and Samples\n   \xe2\x80\xa2   Upload of DNA Records\n   \xe2\x80\xa2   Expunge a DNA Record\n\nQuality Assurance Standards\n\n      The FBI issued two sets of Quality Assurance Standards (QAS): QAS\nfor Forensic DNA Testing Laboratories, effective July 1, 2009 (Forensic QAS);\nand QAS for DNA Databasing Laboratories, effective July 1, 2009 (Offender\n\n\n\n                                     - 18 -\n\x0c                                                                 APPENDIX II\n\nQAS). The Forensic QAS and the Offender QAS describe the quality\nassurance requirements that the Laboratory should follow to ensure the\nquality and integrity of the data it produces.\n\n       For our audit, we generally relied on the reported results of the\nLaboratory\xe2\x80\x99s most recent annual external review to determine if the\nLaboratory was in compliance with the QAS. Additionally, we performed\naudit work to verify that the Laboratory was in compliance with the QAS\nlisted below because they have a substantial effect on the integrity of the\nDNA profiles uploaded to NDIS.\n\n   \xe2\x80\xa2   Facilities (Forensic QAS and Offender QAS 6.1): The laboratory shall\n       have a facility that is designed to ensure the integrity of the analyses\n       and the evidence.\n\n   \xe2\x80\xa2   Evidence Control (Forensic QAS 7.1): The laboratory shall have and\n       follow a documented evidence control system to ensure the integrity of\n       physical evidence. Where possible, the laboratory shall retain or return\n       a portion of the evidence sample or extract.\n\n   \xe2\x80\xa2   Sample Control (Offender QAS 7.1): The laboratory shall have and\n       follow a documented evidence control system to ensure the integrity of\n       physical evidence.\n\n   \xe2\x80\xa2   Analytical Procedures (Forensic QAS and Offender QAS 9.5): The\n       laboratory shall monitor the analytical procedures using [appropriate]\n       controls and standards.\n\n   \xe2\x80\xa2   Review (Forensic QAS 12.1): The laboratory shall conduct\n       administrative and technical reviews of all case files and reports to\n       ensure conclusions and supporting data are reasonable and within the\n       constraints of scientific knowledge.\n\n       (Offender QAS Standard 12.1): The laboratory shall have and follow\n       written procedures for reviewing DNA records and DNA database\n       information, including the resolution of database matches.\n\n   \xe2\x80\xa2   [Reviews] (Forensic QAS and Offender QAS 15.1 and 15.2): The\n       laboratory shall be audited annually in accordance with [the QAS]. The\n       annual audits shall occur every calendar year and shall be at least 6\n       months and no more than 18 months apart.\n\n       At least once every 2 years, an external audit shall be conducted by an\n       audit team comprised of qualified auditors from a second agency(ies)\n\n\n\n                                     - 19 -\n\x0c                                                               APPENDIX II\n\n      and having at least one team member who is or has been previously\n      qualified in the laboratory\xe2\x80\x99s current DNA technologies and platform.\n\n  \xe2\x80\xa2   Outsourcing (Forensic QAS and Offender QAS Standard 17.1): A vendor\n      laboratory performing forensic and database DNA analysis shall comply\n      with these Standards and the accreditation requirements of federal law.\n\n      Forensic QAS 17.4: An NDIS participating laboratory shall have and\n      follow a procedure to verify the integrity of the DNA data received\n      through the performance of the technical review of DNA data from a\n      vendor laboratory.\n\n      Offender QAS Standard 17.4: An NDIS participating laboratory shall\n      have, follow and document appropriate quality assurance procedures to\n      verify the integrity of the data received from the vendor laboratory\n      including, but not limited to, the following: random reanalysis of\n      database, known or casework reference samples; inclusion of quality\n      control samples; performance of an on-site visit by an NDIS\n      participating laboratory or multi-laboratory system outsourcing DNA\n      sample(s) to a vendor laboratory or accepting ownership of DNA data\n      from a vendor laboratory.\n\nOffice of the Inspector General Standards\n\n       We established standards to test the completeness and accuracy of\nDNA profiles as well as the timely notification of law enforcement when DNA\nprofile matches occur in NDIS. Our standards are listed below.\n\n  \xe2\x80\xa2   Completeness of DNA Profiles: A profile must include each value\n      returned at each locus for which the analyst obtained results. Our\n      rationale for this standard is that the probability of a false match\n      among DNA profiles is reduced as the number of loci included in a\n      profile increases. A false match would require the unnecessary use of\n      laboratory resources to refute the match.\n\n  \xe2\x80\xa2   Accuracy of DNA Profiles: The values at each locus of a profile must\n      match those identified during analysis. Our rationale for this standard\n      is that inaccurate profiles may: (1) preclude DNA profiles from being\n      matched and, therefore, the potential to link convicted offenders to a\n      crime or to link previously unrelated crimes to each other may be lost;\n      or (2) result in a false match that would require the unnecessary use\n      of laboratory resources to refute the match.\n\n  \xe2\x80\xa2   Timely Notification of Law Enforcement When DNA Profile Matches\n      Occur in NDIS: Laboratories should notify law enforcement personnel\n\n\n                                   - 20 -\n\x0c                                                         APPENDIX II\n\nof NDIS matches within 2 weeks of the match confirmation date,\nunless there are extenuating circumstances. Our rationale for this\nstandard is that untimely notification of law enforcement personnel\nmay result in the suspected perpetrator committing additional, and\npossibly more egregious crimes, if the individual is not deceased or\nalready incarcerated for the commission of other crimes.\n\n\n\n\n                              - 21 -\n\x0c                                                                                        APPENDIX III\n                                                         U.S. Department of Justice\n                                                         Federal Bureau of Investigation\n\n                                                         Washington, D. C. 20535-0001\n\n                                                         July 26, 2010\nMr. David M. Sheeren\nRegional Audit Manager\nDenver Regional Audit Office\nOffice of the Inspector General\n1120 Lincoln, Suite 1500\nDenver, CO 80203\nDear Mr. Sheeren:\n\n       Your memorandum to Director Mueller forwarding the draft report of the audit\nconducted at the Houston Police Department Crime Laboratory, Houston, Texas (Laboratory) has\nbeen referred to me for response.\n       Your draft report contained one recommendation relating to the Laboratory\'s\ncompliance with the FBI\'s Memorandum of Understanding and Quality Assurance Standards for\nForensic DNA Testing Laboratories (QAS). As you noted in the draft report, compliance with the\nQAS and Memorandum of Understanding is required for forensic laboratories participating in NDIS.\nThe CODIS Unit has reviewed your draft report and offers the following comments.\n\n        With respect to recommendation one relating to the FBI ensuring that an FBI-trained\nDNA auditor is on the audit team for all audits of the Laboratory, the FBI Quality Assurance Audit\nDocument currently addresses this matter. Standard 15.3 requires "a self-verification by the auditor(s) to\nensure that the auditor, or the auditing team, consists of appropriately qualified individuals. This\ncertification should be obtained and documented prior to the beginning of the audit and maintained by\nthe laboratory." Further, "[r]egardless of the audit (internal or external), it is the laboratory\'s\nresponsibility to ensure...that there is at least one person who is a qualified auditor on the audit team."\nA qualified auditor is defined as "a current or previously qualified DNA analyst who has successfully\ncompleted the FBI DNA Auditor\'s training course."\n\n       The CODIS Unit has recognized that additional guidance was needed on the issue of\nphysical security of CODIS servers and revised its procedure to ensure appropriate physical security\nfor CODIS and NDIS. The physical security of the LDIS server is adequate provided that only\nauthorized personnel have physical access to the server. Authorized personnel are those who are\nCODIS users in addition to other personnel approved by the Laboratory. If you require a copy of the\nrevised NDIS Procedure, please contact the CODIS Unit.\n        Thank you for sharing the draft audit report with us. If you have any questions, please\nfeel free to contact Jennifer Luttman, Chief of the CODIS Unit, at (703) 632-8315.\n                                                  Sincerely,\n                                                  /s/\n                                                  Alice R. Isenberg\n                                                  Section Chief\n                                                  Biometrics Analysis Section\n                                                  FBI Laboratory\n\n                                                - 22 -\n\x0c                                                                                                         APPENDIX IV\n\n\n\n                                                                     CITY OF HOUSTON\n                                                                                               Houston Police Department\nAnnise D. Parker, Mayor                                                  1200 Travis Houston, Texas 77002-6000 713/308-1600\n\nCITY COUNCIL MEMBERS: Brenda Stardig Jarvis Johnson Anne Clutterbuck Wanda Adams Michael Sullivan Al Hoang Oliver Pennington Edward Gonzalez\nJames G. Rodriguez Stephen C. Costello Sue Lovell Melissa Noriega C. O. "Brad" Bradford Jolanda "Jo" Jones CITY CONTROLLER: Ronald C. Green\n\n\n         July 13, 2010                                                                           Charles A. McClelland, Jr.\n                                                                                                      Chief of Police\n\n         David M. Sheeren, Regional Audit Manager\n         U.S. Department of Justice, Office of the Inspector General\n         1120 Lincoln Street, Suite 1500\n         Denver, Colorado 80203\n\n         Dear Mr. Sheeren:\n\n         We have reviewed the draft audit report on the Compliance with Standards Governing Combined\n         DNA System Activities at the Houston Police Department Crime Laboratory attached to your\n         correspondence dated June 25th, 2010.\n\n         We would like to first inform you that we appreciated Xxxxxx Xxxxxxxxx and Xxxx\n         Xxxxxxxxx professionalism and thoroughness during the audit process.\n\n         The following are comments regarding the results of the review noted on the Executive\n         Summary:\n\n         OIG Result\n         With regard to the Laboratory\xe2\x80\x99s compliance with NDIS participation requirement, we found that\n         the CODIS server was not properly secured. In response to this finding, the Laboratory installed\n         a key lock and removed the wheels from a cabinet containing the server to make it less mobile.\n\n         HPD Response/Clarification\n         The CODIS server is located in the Forensic Biology Section on the 26th Floor of 1200 Travis.\n         The server is maintained in an area dedicated to the use of forensic biology. Access to this area\n         is controlled via electronic badge access in addition to keyed locks. Only authorized individuals\n         have been granted access to this area. The network connected to the CODIS server is also\n         separate from the remainder of the building.\n\n         The CODIS server connects to a router located in the NIBIN work area of the Firearm Section on\n         the 24th floor of 1200 Travis. This router connects the CODIS to a T1 line which is then routed\n         out of the facility. The router is housed in a now-locked, non-portable cabinet. Like the CODIS\n\n\n\n\n                                                                 - 23 -\n\x0c                                                                       APPENDIX IV\n\nserver, this cabinet is also in a restricted area with access that is controlled by\nelectronic badge access in addition to keyed locks.\n\nOIG Result\nWe also found that the Laboratory did not have a policy to maintain personnel\nrecords for the required 10 years. In addition, the Laboratory revised its DNA\nStandard Operating Procedure manual to reflect the 10-year retention policy.\n\nHPD Response/Clarification\nThe Department\xe2\x80\x99s policy is to retain \xe2\x80\x9cpersonnel\xe2\x80\x9d records permanently. The\nrecords reviewed during the audit included quality system files such as\nproficiency tests of staff. While the interim process will be to maintain the\nquality files for 10 years, our long term plan is to merge these files with personnel\nfiles for permanent storage.\n\nGeneral Comments:\nLaboratory Information-Page 6 of OIG Report\n\xe2\x80\x9cThe Houston Police Department\xe2\x80\x99s Chief of Police requested deactivation from\nCODIS in March 2003 due to concerns about the quality of the analyses being\nperformed. This situation was remedied by a change in Laboratory personnel, and\nthe remaining staff underwent training.\xe2\x80\x9d\n\nHPD Comment\nThe situation was remedied by not only the replacement of staff conducting DNA testing\nbut the replacement of the DNA Technical Leader and Lab Director. A comprehensive\nreview and re-testing of previously tested DNA cases was conducted. In addition to\nimplementing an extensive quality assurance program which included training of\nremaining staff, an independent review was conducted of some of the Biology Section\xe2\x80\x99s\nwork dating back to 1980.\n\n\nIf you have any questions, please contact me at 713-308-2636.\n\n\n\n                                                       Sincerely,\n\n\n                                                       /S/\n                                                       Irma Rios, Director\n                                                       Crime Lab Division\nir:ir\n\n\n\n\n                                      - 24 -\n\x0c                                                               APPENDIX V\n\n              OFFICE OF THE INSPECTOR GENERAL\n             ANALYSIS AND SUMMARY OF ACTIONS\n               NECESSARY TO CLOSE THE REPORT\n\n\n      The OIG provided a draft of this audit report to the FBI and the\nHouston Police Department\xe2\x80\x99s Crime Laboratory. The FBI\xe2\x80\x99s response is\nincorporated in Appendix III of this final report, and the Houston Police\nDepartment\xe2\x80\x99s response is incorporated in Appendix IV. We made changes to\nthe report where appropriate, based on our follow up of information\ncontained in the responses.\n\nAnalysis of the Houston Police Department\xe2\x80\x99s Response\n\n      In response to our audit report, the Houston Police Department\xe2\x80\x99s\nCrime Laboratory concurred with our recommendation and discussed the\nactions it will implement in response to our finding. Additionally, the\nHouston Police Department provided clarification regarding the location of\nthe CODIS server. At the time of our audit, a laboratory representative\nconducting a tour of the Crime Laboratory space, indicated that the CODIS\nserver was located in a controlled area two floors below the CODIS\nlaboratory. We relied on this representation in preparing our draft report.\nHowever, based on the information provided in the Houston Police\nDepartment\xe2\x80\x99s response to the draft report and our follow up on the issue, we\nhave updated our final report to accurately reflect the location of the CODIS\nserver.\n\n      The Houston Police Department\xe2\x80\x99s response also provided additional\ninformation regarding retention of all necessary personnel records. We have\nadded language in our report to clarify this issue.\n\nAnalysis of the FBI\xe2\x80\x99s Response\n\n      The FBI also concurred with our recommendation and provided\nadditional information regarding the physical security of the CODIS server.\n\n  1. Resolved. The FBI concurred with our recommendation to ensure\n     that the Houston Police Department\xe2\x80\x99s Crime Laboratory implements\n     procedures to verify that an FBI trained DNA auditor is on the audit\n     team for all QAS-required audits. This recommendation can be closed\n     when we receive a copy of the Laboratory\xe2\x80\x99s procedure requiring it to\n     verify that an FBI trained DNA auditor conducts all QAS\xe2\x80\x93required\n     audits.\n\n\n\n                                   - 25 -\n\x0c'